From: Unnathi Chalicheemala <unnathi.chalicheemala@oss.qualcomm.com>
To: Sudeep Holla <sudeep.holla@kernel.org>
Cc: Jens Wiklander <jens.wiklander@linaro.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org,
kernel@oss.qualcomm.com,
Trilok Soni <trilok.soni@oss.qualcomm.com>,
Satya Durga Srinivasu Prabhala <satya.prabhala@oss.qualcomm.com>
Subject: Re: [PATCH] firmware: arm_ffa: Fix NULL dereference in ffa_partition_info_get()
Date: Tue, 16 Jun 2026 14:14:59 -0700 [thread overview]
Message-ID: <eb50b45d-ad04-4da7-8cfa-6e1abb1ffba4@oss.qualcomm.com> (raw)
In-Reply-To: <20260612-fat-energetic-hummingbird-8ddc62@sudeepholla>
On 6/12/2026 3:55 AM, Sudeep Holla wrote:
>
>> Per the FF-A spec, the all-zeros UUID is the defined wildcard that
>> instructs the SPMC to return information for all partitions. Map NULL
>> and empty string to uuid_null rather than crashing in uuid_parse(),
>> preserving the intended "return all partitions" semantics for callers
>> that pass NULL.
>>
>
> Agreed on the spec part but not w.r.t the interface. Where is the driver
> using this call and why is it sending null or wants to extract all the
> partition information ?
>
A developer wanting all partitions might reasonably pass the all-zeros string
"00000000-0000-0000-0000-000000000000"?
>> Fixes: d0c0bce83122 ("firmware: arm_ffa: Setup in-kernel users of FFA partitions")
>> Signed-off-by: Unnathi Chalicheemala <unnathi.chalicheemala@oss.qualcomm.com>
>> ---
>> drivers/firmware/arm_ffa/driver.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
>> index b9f17fda7243..dd500fb81b79 100644
>> --- a/drivers/firmware/arm_ffa/driver.c
>> +++ b/drivers/firmware/arm_ffa/driver.c
>> @@ -1129,7 +1129,9 @@ static int ffa_partition_info_get(const char *uuid_str,
>> uuid_t uuid;
>> struct ffa_partition_info *pbuf;
>>
>> - if (uuid_parse(uuid_str, &uuid)) {
>> + if (!uuid_str || uuid_str[0] == '\0') {
>> + uuid = uuid_null;
>
> I object to make it uuid_null. Below check is enough to check NULL
> dereference.
>
> - if (uuid_parse(uuid_str, &uuid)) {
> + if (!uuid_str || uuid_parse(uuid_str, &uuid)) {
>
>
> I don't think we need to service NULL as valid argument via this interface
> as the callee driver needs to pass its partition UUID here.
>
I agree with you, NULL doesn't seem like a valid use case.
Will send another version with your suggestion, thank you for the review.
Regards,
Unnathi
next prev parent reply other threads:[~2026-06-16 21:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 20:19 [PATCH] firmware: arm_ffa: Fix NULL dereference in ffa_partition_info_get() Unnathi Chalicheemala
2026-06-12 10:55 ` Sudeep Holla
2026-06-16 21:14 ` Unnathi Chalicheemala [this message]
2026-06-17 9:06 ` Sudeep Holla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eb50b45d-ad04-4da7-8cfa-6e1abb1ffba4@oss.qualcomm.com \
--to=unnathi.chalicheemala@oss.qualcomm.com \
--cc=jens.wiklander@linaro.org \
--cc=kernel@oss.qualcomm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=satya.prabhala@oss.qualcomm.com \
--cc=sudeep.holla@kernel.org \
--cc=trilok.soni@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox